Monday, June 23, 2014

The New Canadian Anti-SPAM Law and Your Business

This morning, I hosted an online webinar entitled The New Canadian Anti-SPAM Law and Your Business. We did it using Google's Hangout On Air feature that allows virtually unlimited numbers of people to attend live and it creates a handy YouTube video of the entire session for future reference.

You'll see from the presentation that I'm not a big fan of the law, but it's going to be the law on July 1, 2014 and businesses need to get their ducks in a row if they haven't already.

If you're looking for specific advice about compliance, feel free to contact me at david.fraser@mcinnescooper.com.


Wednesday, June 18, 2014

Henry v Bell Mobility: Another Federal Court case shows PIPEDA damages are hardly worth pursuing absent evidence of actual harm

The Federal Court, in the recently issued decision in Henry v Bell Mobility 2014 FC 555 (not yet on CanLII or the Court's site) has awarded a very modest sum of damages to a customer of Bell Mobility whose phone account was accessed by an impostor. At the hearing before the Federal Court, Bell did not contest liability so all the Court had to consider was the appropriate measure of damages. Nevertheless, the facts are relevant: An individual was able to convince a customer service representative employed by the mobile phone company to grant her access to the complainant's account. She was provided with general account information and the last seven numbers dialed. The impostor was also allowed to make changes to the account.

The claimant alleged that he suffered a lost business opportunity as a result of the impostor then contacting an intended business associate of the claimant. However, the claimant did not offer any compelling evidence to support this business opportunity. Instead of the compensatory damages of $35,500.00, punitive damages of $5,000.00, general damages of $5,000.00 and legal costs of $4,000.00, the Court awarded $2,500 in general damages plus $1,000 in costs. The complainant had argued that the Court should follow Chitraker v Bell, but the court was not convinced.

[26] Chitrakar is distinguishable from the current case in that here Bell Mobility has taken responsibility for the breach of Mr. Henry's privacy rights; it has put in place steps to better train CSRs; it has not in any way benefited from the breach; and, has acknowledged that Mr. Henry is entitled to damages in keeping with the jurisprudence of this Court. Bell Mobility argued that damages in the range of $1,500 - $2,000 was more than adequate to compensate Mr. Henry in these circumstances.

[27] Having considered all of the evidence and the jurisprudence and given the circumstances under which the woman cajoled the Bell representative to make the changes to the account and the breadth of the information disclosed it is my view that an award of $2,500.00 is appropriate. Mr. Henry was self-represented at trial although he had counsel on record assisting him earlier in the case. In all of the circumstances, costs in the amount of $1,000.00 will cover disbursements and legal costs.


Interestingly, there is no mention of Jones v Tsige; the court only discusses PIPEDA cases.

What's the moral of this story? Absent any actual, provable harm, PIPEDA damages are hardly worth pursuing.

Friday, June 13, 2014

R v Spencer: Supreme Court rules internet users have a reasonable expectation of privacy and anonymity online

[Note: this post is a work in progress, and will be updated as I digest the decision.]

This morning, the Supreme Court of Canada released its decision in R v Spencer, 2014 SCC 43.

The case, on appeal from the Saskatchewan Court of Appeal, has finally provided some certainty regarding the expectation of privacy that all Canadians enjoy in their online activities. All internet users expose their IP addresses to the sites they visit and the computers they connect to, but generally it is only the internet service provider who can connect that innocuous string of digits to a real identity.

In this case, the police had obtained information about an internet user from his internet service provider without a warrant. The police asked for it using a "PIPEDA request" and the ISP simply provided it, relying on a broad provision in PIPEDA which -- in its view -- permits certain disclosures to law enforcement.

I am still digesting the decision, but some very important conclusions from the case:

  • Internet users have a reasonable expectation of anonymity in their online activities

    Contrary to the views of most police agencies and the government of Canada, this information is not innocuous "phone book information" but "Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage."

  • A police request to the ISP for customer information amounts to a "search" for Charter purposes
  • The fact that an ISP may be able to disclose information pursuant to s. 7(3)(c.1) of PIPEDA or the terms of use is relevant to the expectation of privacy, but not determinative of it
  • The request by the police had no "lawful authority" since they had no authority to compel the production of the information

There has been much controversy surrounding the term "lawful authority" in PIPEDA, which permits an organization to disclose personal information without consent in connection with an investigation where the police have identified their "lawful authority" to obtain the information. The police have generally argued that an investigation is sufficient to satisfy that. The Court disagreed:

[62] Section 7(3)(c.1)(ii) allows for disclosure without consent to a government institution where that institution has identified its lawful authority to obtain the information. But the issue is whether there was such lawful authority which in turn depends in part on whether there was a reasonable expectation of privacy with respect to the subscriber information. PIPEDA thus cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.

[63] I am aware that I have reached a different result from that reached in similar circumstances by the Ontario Court of Appeal in Ward, where the court held that the provisions of PIPEDA were a factor which weighed against finding a reasonable expectation of privacy in subscriber information. This conclusion was based on two main considerations. The first was that an ISP has a legitimate interest in assisting in law enforcement relating to crimes committed using its services: para. 99. The second was the grave nature of child pornography offences, which made it reasonable to expect that an ISP would cooperate with a police investigation: paras. 102-3. While these considerations are certainly relevant from a policy perspective, they cannot override the clear statutory language of s. 7(3)(c.1)(ii) of PIPEDA, which permits disclosure only if a request is made by a government institution with “lawful authority” to request the disclosure. It is reasonable to expect that an organization bound by PIPEDA will respect its statutory obligations with respect to personal information. The Court of Appeal in Ward held that s. 7(3)(c.1)(ii) must be read in light of s. 5(3), which states that “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. This rule of “reasonable disclosure” was used as a basis to invoke considerations such as allowing ISPs to cooperate with the police and preventing serious crimes in the interpretation of PIPEDA. Section 5(3) is a guiding principle that underpins the interpretation of the various provisions of PIPEDA. It does not allow for a departure from the clear requirement that a requesting government institution possess “lawful authority” and so does not resolve the essential circularity of using s. 7(3)(c.1)(ii) as a factor in determining whether a reasonable expectation of privacy exists.

[64] I also note with respect to an ISP’s legitimate interest in preventing crimes committed through its services that entirely different considerations may apply where an ISP itself detects illegal activity and of its own motion wishes to report this activity to the police. Such a situation falls under a separate, broader exemption in PIPEDA, namely s. 7(3)(d). The investigation in this case was begun as a police investigation and the disclosure of the subscriber information arose out of the request letter sent by the police to Shaw.

[65] The overall impression created by these terms is that disclosure at the request of the police would be made only where required or permitted by law. Such disclosure is only permitted by PIPEDA in accordance with the exception in s. 7, which in this case would require the requesting police to have “lawful authority” to request the disclosure. For reasons that I will set out in the next section, this request had no lawful authority in the sense that while the police could ask, they had no authority to compel compliance with that request. I conclude that, if anything, the contractual provisions in this case support the existence of a reasonable expectation of privacy, since the Privacy Policy narrowly circumscribes Shaw’s right to disclose the personal information of subscribers.

[66] In my view, in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

Here is the headnote summary of the decision:

Constitutional law — Charter of Rights — Search and seizure — Privacy — Police having information that IP address used to access or download child pornography — Police asking Internet service provider to voluntarily provide name and address of subscriber assigned to IP address — Police using information to obtain search warrant for accused’s residence — Whether police conducted unconstitutional search by obtaining subscriber information matching IP address — Whether evidence obtained as a result should be excluded — Whether fault element of making child pornography available requires proof of positive facilitation — Criminal Code, R.S.C. 1985, c. C‑46, ss. 163.1(3), 163.1(4), 487.014(1) — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 7(3)(c.1)(ii) — Charter of Rights and Freedoms, s. 8.

The police identified the Internet Protocol (IP) address of a computer that someone had been using to access and store child pornography through an Internet file sharing program. They then obtained from the Internet Service Provider (ISP), without prior judicial authorization, the subscriber information associated with that IP address. The request was purportedly made pursuant to s. 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act (PIPEDA). This led them to the accused. He had downloaded child pornography into a folder that was accessible to other Internet users using the same file sharing program. He was charged and convicted at trial of possession of child pornography and acquitted on a charge of making it available. The Court of Appeal upheld the conviction, however set aside the acquittal on the making available charge and ordered a new trial.

Held: The appeal should be dismissed.

Whether there is a reasonable expectation of privacy in the totality of the circumstances is assessed by considering and weighing a large number of interrelated factors. The main dispute in this case turns on the subject matter of the search and whether the accused’s subjective expectation of privacy was reasonable. The two circumstances relevant to determining the reasonableness of his expectation of privacy in this case are the nature of the privacy interest at stake and the statutory and contractual framework governing the ISP’s disclosure of subscriber information.

When defining the subject matter of a search, courts have looked not only at the nature of the precise information sought, but also at the nature of the information that it reveals. In this case, the subject matter of the search was not simply a name and address of someone in a contractual relationship with the ISP. Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage.

The nature of the privacy interest engaged by the state conduct turns on the privacy of the area or the thing being searched and the impact of the search on its target, not the legal or illegal nature of the items sought. In this case, the primary concern is with informational privacy. Informational privacy is often equated with secrecy or confidentiality, and also includes the related but wider notion of control over, access to and use of information. However, particularly important in the context of Internet usage is the understanding of privacy as anonymity. The identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. Subscriber information, by tending to link particular kinds of information to identifiable individuals may implicate privacy interests relating to an individual’s identity as the source, possessor or user of that information. Some degree of anonymity is a feature of much Internet activity and depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure. In this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized in other circumstances as engaging significant privacy interests.

There is no doubt that the contractual and statutory framework may be relevant to, but not necessarily determinative of whether there is a reasonable expectation of privacy. In this case, the contractual and regulatory frameworks overlap and the relevant provisions provide little assistance in evaluating the reasonableness of the accused’s expectation of privacy. Section 7(3)(c.1)(ii) of PIPEDA cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. It would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent. The contractual provisions in this case support the existence of a reasonable expectation of privacy. The request by the police had no lawful authority in the sense that while the police could ask, they had no authority to compel compliance with that request. In the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. Therefore, the request by the police that the ISP voluntarily disclose such information amounts to a search.

Whether the search in this case was lawful will be dependent on whether the search was authorized by law. Neither s. 487.014(1) of the Criminal Code, nor PIPEDA creates any police search and seizure powers. Section 487.014(1) is a declaratory provision that confirms the existing common law powers of police officers to make enquiries. PIPEDA is a statute whose purpose is to increase the protection of personal information. Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, the police do not gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information. The conduct of the search in this case therefore violated the Charter. Without the subscriber information obtained by the police, the warrant could not have been obtained. It follows that if that information is excluded from consideration as it must be because it was unconstitutionally obtained, there were not adequate grounds to sustain the issuance of the warrant and the search of the residence was therefore unlawful and violated the Charter.

The police, however, were acting by what they reasonably thought were lawful means to pursue an important law enforcement purpose. The nature of the police conduct in this case would not tend to bring the administration of justice into disrepute. While the impact of the Charter‑infringing conduct on the Charter protected interests of the accused weighs in favour of excluding the evidence, the offences here are serious. Society has a strong interest in the adjudication of the case and also in ensuring the justice system remains above reproach in its treatment of those charged with these serious offences. Balancing the three factors, the exclusion of the evidence rather than its admission would bring the administration of justice into disrepute. The admission of the evidence is therefore upheld.

There is no dispute that the accused in a prosecution under s. 163.1(3) of the Criminal Code must be proved to have had knowledge that the pornographic material was being made available. This does not require however, that the accused must knowingly, by some positive act, facilitate the availability of the material. The offence is complete once the accused knowingly makes pornography available to others. Given that wilful blindness was a live issue and that the trial judge’s error in holding that a positive act was required to meet the mens rea component of the making available offence resulted in his not considering the wilful blindness issue, the error could reasonably be thought to have had a bearing on the trial judge’s decision to acquit. The order for a new trial is affirmed.

For some background on "PIPEDA requests", check out the blog posts tagged with "PIPEDA requests".

Tuesday, June 10, 2014

Why Friday's decision in R v Spencer will be a BIG DEAL for privacy

As I blogged yesterday, the Supreme Court of Canada has announced that it will release its decision in the appeal from Saskatchewan Court of Appeal in R v Spencer, 2011 SKCA 144. This decision, regardless of how the Court rules, will likely be a very big deal for privacy rights of customers of telecommunications service providers in Canada. It will hopefully decide whether Canadians have a reasonable expectation of privacy in information that is attached to an IP address.

Here's some background (mainly drawn from the Court of Appeal decision) and why this is a big deal.

The police detected somebody -- at that time unknown -- using the the file sharing program and protocol LimeWire to share child pornography. At that stage, all they had was the IP address of the computer or network connection being used. Using publicly available tools, they determined the IP address was allocated by the internet service provider, Shaw Communications. The police officer, though he likely had sufficient grounds to get a production order under the Criminal Code simply wrote to the ISP with the following request:

Constable Darren Parisien … is investigating a criminal code offence pertaining to child pornography and the internet. We have opened [sic] file investigation in relation to this investigation.

Pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA), we request the disclosure of customer identifying information including but not limited to name, internet service provider records, address of service, current service status and phone number relevant to the following:

1. Internet Protocol Address 70.64.12.102 on 2007-August-31 at 1246 hours (Local Saskatchewan time)

This information is being requested to assist in an ongoing investigation. We declare that Constable Darren Parisien of the Saskatoon Police Service Organized Crime Unit – Vice Section [sic] has the lawful authority to obtain the information and that the following section of PIPEDA is satisfied for this request: [full text of s. 7(3)(c.1) omitted]

This request specifically satisfies Paragraph 7(3)(c.1)(ii).


And, with that, the police got the customer name and address from the ISP. That information was used to get a search warrant of Spencer's house and he was subsequently arrested. At the trial, Spencer argued that the warrantless disclosure of his information by Shaw was a violation of his Charter rights. This motion was denied and he appealed to the Court of Appeal on this issue.

The Court of Appeal agreed, finding that any objective expectation of privacy was effectively gutted by the Shaw privacy policy and acceptable use policy which reserves to Shaw a very broad discretion to disclose personal information to the police. There was no real discussion about whether such terms of use are ever read by customers and whether they really should temper the expectation of privacy that most of us have about our internet usage.

[42] In summary, neither its contractual relationship with Mr. Spencer’s sister, as set out in the Services Agreement, nor PIPEDA prohibited Shaw from disclosing the Disclosed Information in the circumstances of this case; rather, each clearly provided Shaw with the discretion to disclose information to the police in these exact circumstances, and Shaw had Mr. Spencer’s sister’s express, informed consent to do so. The sum of these factors militates very strongly against a finding that Mr. Spencer’s privacy expectation was reasonable.

In short, the police can ask for and, under the Court's reading of PIPEDA, the internet service provider can provide the customer's personal information.

So what's the big deal? This is not an exceptional case; what's exceptional is that the Supreme Court of Canada is going to weigh in on whether a Canadian has an expectation of privacy in his or her internet activities. We know that thousands of times a year the police go to internet service providers asking for information about their customers and thousands of times a year, this information is provided. Just a quick search of CanLII shows this. Just search for "pipeda request" and you'll get a dozen reported cases. They show voluntary cooperation by such internet service providers as Uniserve, Shaw, Bell Sympatico, Northwestel, and Rogers. (Recently, Rogers and Teksavvy disclosed in their respective transparency reports a high level of providing customer information in similar circumstances withou a warrant. For Rogers, it provided customer information 711 times in 2012/2013.)

As I understand it, the form of letter was a result of the coordinated effort of law enforcement and a group of internet service providers who have agreed to provide warrantless access to customer account information in connection with child exploitation investigations. They are designed to satisfy the requirements of Section 7(3)(c.1)(ii) of PIPEDA which permits disclosures of personal information to the police where they have the "lawful authority" to obtain the information and the information relates to "enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law".

It was exactly this sort of disclosure that was so controversial in Vic Toews' Bill C-30. That bill, if passed, would have permitted police officers to demand customer names and addresses connected to a known IP address. ISPs would have been required to hand over the information. The controversy stemmed from the fact that these demands are unaccountable and are not subject to ANY supervision by the courts. The "request" at issue in R v Spencer is the same: made without a warrant based on reasonable grounds, completely unaccountable and with no judicial oversight. In addition, the relevant individual is NEVER informed of the fact that the request was made or that the information was disclosed. To top it off, there is no information under oath so there is no disincentive to lie in these PIPEDA requests. (I find it to be telling that nowhere near 711 charges resulted from the requests made of Rogers.)

So what's the big deal with having an ISP connect an IP address with a customer's name and address? There has been some suggestion by the law enforcement community that a customer's name and address is just "phone book information" and there's no expectation of privacy in that. That misses the point and shows contempt for the right to privacy. A customer’s name and address, when connected with an IP address is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their "offline" life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that IP address that can often be traced back to an individual or a small group of people. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities pierces the reasonable expectation of anonymity and amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. This is why, in my view, judicial supervision should be required. We'll see whether the Supreme Court of Canada agrees with this view ...

At the very least, I expect the Supreme Court of Canada will provide some clear guidance on whether -- under the Charter of Rights and Freedoms -- there is a reasonable expectation of privacy and anonymity on the internet that can only be pierced by an order from a judge, who is satisfied on information under oath that there are reasonable grounds to believe a crime has been committed and that the order is necessary to uncover evidence of the offender. Stay tuned ...

Monday, June 09, 2014

Supreme Court to release warrantless ISP disclosure decision on Friday

The Supreme Court of Canada has just announced that it will release its decision in R. v. Spencer on Friday. For those concerned with "lawful access" and warrantless disclosure of telco customer information, this will be a biggie.

Here's the summary of the case ....

SCC Cases (Lexum) - Judgments to be Rendered in Appeals:

34644 Matthew David Spencer v. Her Majesty the Queen

Canadian Charter of Rights and Freedoms - Search and seizure - Whether the Court of Appeal erred in concluding that there was no reasonable expectation of privacy in the information attached to an IP address - If the appellant’s rights under s. 8 of the Charter were breached, whether the evidence gathered upon the execution of the search warrant should be excluded pursuant to s. 24(2) of the Charter - Whether the Court of Appeal erred in overturning the trial judge’s decision according to which the appellant did not have the requisite mens rea to commit the offence of making available child pornography, on the basis that the trial judge failed to consider the question of wilful blindness on the part of the appellant - Criminal Code, R.S.C. 1985, c. C-46, s. 163.1(3).

The appellant downloaded child pornography from the Internet using a peer-to-peer file-sharing software program that connects users over the Internet. He stored child pornography in his shared folder and did not override the software’s default settings that made his shared folder accessible to other users from which they could obtain downloads of his files. A police officer searched his folder and discovered the pornographic files. The officer could not identify the owner of the folder but did determine that the Internet Protocol address being used by the owner of the folder had been assigned by Shaw Communications. The police wrote to Shaw and requested information identifying the assignee at the relevant time. Shaw identified the appellant’s sister. The police obtained a warrant and searched her residence, where they seized the respondent’s computer. The appellant was charged with possession of child pornography and making child pornography available.

Origin of the case: Saskatchewan

File No.: 34644

Judgment of the Court of Appeal: November 25, 2011

Counsel:

Aaron A. Fox, Q.C. and Darren K. Kraushaar for the appellant

Anthony B. Gerein for the respondent

Saturday, June 07, 2014

Canadian telcos release transparency reports

In the past week, in a significant development, both Teksavvy and Rogers have released information that provides much greater insights into government demands for personal information from telecommunications companies.

Teksavvy is one of the largest independent internet service providers and they released their report in the form of a comprehensive response to the letter sent to them by the Citizen Lab's Chris Parsons (See: Citizen Lab calls for transparency by Canadian telcos). Many may remember that Teksavvy was the ISP that went to court to challenge a demand by a Hollywood studio for information about users who were alleged to have violated copyright.

Rogers is one of Canada's largest "full service" telecommunications service providers, offering landline and mobile telephone services, in addition to cable internet. Their report is slightly less detailed, presumably because they are very constrained by the government (by the Solicitor General's guidelines on lawful interception).

This is a great advance in transparency and a good first step. It also provides some useful information for the discussion and debate about warrantless disclosures of personal information by telecommunications service providers. The reports both show that in the period under discussion, both Rogers and Teksavvy disclosed customer information without a warrant in a range of circumstances.

The Teksavvy report shows they provided customer names and addresses when provided with an IP address in at least 16 out of the 17 such disclosures. The circumstances of those disclosures are not reported. (To be fair, they say in their letter that they will no longer do this.) The Rogers report shows they did the same in what they called

Child sexual exploitation emergency assistance requests:

Legal authority: The Criminal Code and PIPEDA. Details: We assist police during child exploitation investigations. Examples of info provided: Confirming a customer’s name and address when provided with an IP address so that police can get a search or arrest warrant to stop the sexual exploitation of a child.


The numbers of these warrantless disclosures are very high: 711 such disclosures. These are presumably controversial PIPEDA Requests, which a number of ISPs have agreed to cooperate with law enforcement when they are told it is connected with a child exploitation investigation. They cite PIPEDA as the authority, though the section in question (s. 7(3)(c.1)) does not require disclosure and is only applicable when the law enforcement agency has shown its "lawful authority" to demand the information. There is not yet any consensus about what "lawful authority" actually means.

For some really great reporting on these transparency reports, check out:

Now that Rogers in particular has made this disclosure, I'm looking forward to the other large telcos following suit.